onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 10:17:16 +01:00
Code Issues Releases Wiki Activity

* IOSObjectGroup.cpp (IOSObjectGroup::toString): Refs #1107: first

Browse Source 
draft of the object-groups support for Cisco IOS. Controlled by a
checkbox in the "Advanced" settings dialog of the firewall object;
this feature requires IOS v12.4(20)T or later and is off by
default.
This commit is contained in:
Vadim Kurland 2010-01-21 03:19:38 +00:00
parent 7385aeb4c0
commit 628b675846
24 changed files with 1650 additions and 910 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 2401
#define BUILD_NUM 2402

6
doc/ChangeLog
View File

@ -1,5 +1,11 @@
2010-01-20 vadim <vadim@vk.crocodile.org>
* IOSObjectGroup.cpp (IOSObjectGroup::toString): Refs #1107: first
draft of the object-groups support for Cisco IOS. Controlled by a
checkbox in the "Advanced" settings dialog of the firewall object;
this feature requires IOS v12.4(20)T or later and is off by
default.
* CompilerDriver.cpp (CompilerDriver::validateClusterGroups):
fixes #1119 "add test for the integrity of failover cluster
groups". Compilers require all failover group objects to be

34
src/cisco_lib/BaseObjectGroup.cpp
View File

@ -27,6 +27,13 @@
#include "BaseObjectGroup.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <iostream>
#include <sstream>
@ -58,6 +65,15 @@ string BaseObjectGroup::registerGroupName(const std::string &prefix)
return str.str();
}
void BaseObjectGroup::setObjectGroupTypeFromFWObject(FWObject *obj)
{
if (Address::cast(obj)!=NULL) setObjectGroupType(NETWORK);
if (IPService::cast(obj)!=NULL) setObjectGroupType(PROTO);
if (ICMPService::cast(obj)!=NULL) setObjectGroupType(ICMP_TYPE);
if (TCPService::cast(obj)!=NULL) setObjectGroupType(TCP_SERVICE);
if (UDPService::cast(obj)!=NULL) setObjectGroupType(UDP_SERVICE);
}
void BaseObjectGroup::setName(const std::string &prefix)
{
FWObject::setName( registerGroupName(prefix) );
@ -99,8 +115,26 @@ string BaseObjectGroup::getSrvTypeName()
return "";
}
string BaseObjectGroup::getObjectGroupClass()
{
switch (getObjectGroupType())
{
case PROTO:
case ICMP_TYPE:
case TCP_SERVICE:
case UDP_SERVICE: return "service";
default: return "network";
}
return "";
}
string BaseObjectGroup::toString() throw(FWException)
{
return "";
}
string BaseObjectGroup::getObjectGroupHeader()
{
return "";
}

35
src/cisco_lib/BaseObjectGroup.h
View File

@ -31,36 +31,43 @@
#include "fwbuilder/ServiceGroup.h"
#include "fwbuilder/FWException.h"
typedef enum { UNKNOWN,
NETWORK,
PROTO,
ICMP_TYPE,
TCP_SERVICE,
UDP_SERVICE } pix_group_type;
class BaseObjectGroup : public libfwbuilder::Group {
private:
pix_group_type gt;
public:
typedef enum { UNKNOWN,
NETWORK,
PROTO,
ICMP_TYPE,
TCP_SERVICE,
UDP_SERVICE } object_group_type;
private:
object_group_type gt;
static std::map<std::string,int> nc;
protected:
protected:
std::string registerGroupName(const std::string &prefix);
public:
BaseObjectGroup(pix_group_type _gt=UNKNOWN) : libfwbuilder::Group() { gt=_gt; }
public:
BaseObjectGroup(object_group_type _gt=UNKNOWN) : libfwbuilder::Group() { gt=_gt; }
virtual ~BaseObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(BaseObjectGroup);
virtual bool validateChild(FWObject*) { return true; }
void setObjectGroupType(pix_group_type _gt) { gt=_gt; }
pix_group_type getObjectGroupType() { return gt; }
void setObjectGroupType(object_group_type _gt) { gt=_gt; }
object_group_type getObjectGroupType() { return gt; }
void setObjectGroupTypeFromFWObject(libfwbuilder::FWObject *obj);
virtual void setName(const std::string &prefix);
bool isServiceGroup();
bool isObjectGroup();
std::string getSrvTypeName();
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString() throw(libfwbuilder::FWException);
};

157
src/cisco_lib/IOSObjectGroup.cpp Normal file
View File

@ -0,0 +1,157 @@
/*
Firewall Builder
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "IOSObjectGroup.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <iostream>
#include <sstream>
using namespace libfwbuilder;
using namespace std;
const char *IOSObjectGroup::TYPENAME={"IOSObjectGroup"};
string IOSObjectGroup::toString() throw(FWException)
{
ostringstream ostr;
if (this->size()==0) return "";
ostr << getObjectGroupHeader();
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
ostr << " ";
switch (getObjectGroupType())
{
case NETWORK:
{
Address *a = Address::cast(obj);
assert(a!=NULL);
if (AddressRange::cast(a))
{
const InetAddr &start = AddressRange::cast(a)->getRangeStart();
const InetAddr &end = AddressRange::cast(a)->getRangeEnd();
ostr << "range " << start.toString() << " " << end.toString();
} else
{
const InetAddr *addr = a->getAddressPtr();
if (Network::cast(obj)!=NULL)
{
const InetAddr *mask = a->getNetmaskPtr();
ostr << addr->toString() << "/" << mask->getLength();
} else {
ostr << "host " << addr->toString();
}
}
break;
}
case PROTO:
{
Service *s = Service::cast(obj);
assert(s!=NULL);
ostr << s->getProtocolNumber();
break;
}
case ICMP_TYPE:
{
ostr << "icmp ";
ICMPService *s = ICMPService::cast(obj);
assert(s!=NULL);
if ( s->getInt("type")== -1) ostr << "";
else ostr << s->getInt("type");
break;
}
case TCP_SERVICE:
case UDP_SERVICE:
{
if (getObjectGroupType()==TCP_SERVICE) ostr << "tcp ";
else ostr << "udp ";
TCPUDPService *s = TCPUDPService::cast(obj);
assert(s!=NULL);
int rs = s->getDstRangeStart();
int re = s->getDstRangeEnd();
if (rs<0) rs = 0;
if (re<0) re = 0;
if (rs>0 || re>0) {
if (rs==re) ostr << "eq " << rs;
else ostr << "range " << rs << " " << re;
}
else ostr << "range 0 65535";
break;
}
default:
throw FWException("Unknown object group type");
}
ostr << endl;
}
ostr << "exit" << endl << endl;
return ostr.str();
}
string IOSObjectGroup::getObjectGroupClass()
{
switch (this->getObjectGroupType())
{
case NETWORK: return "network";
case PROTO:
case ICMP_TYPE:
case TCP_SERVICE:
case UDP_SERVICE: return "service";
default: throw FWException("Unknown object group type");
}
}
string IOSObjectGroup::getObjectGroupHeader()
{
ostringstream ostr;
ostr << "object-group " << getObjectGroupClass() << " " << this->getName();
ostr << endl;
return ostr.str();
}

45
src/cisco_lib/IOSObjectGroup.h Normal file
View File

@ -0,0 +1,45 @@
/*
Firewall Builder
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __IOSOBJECTGROUP_HH
#define __IOSOBJECTGROUP_HH
#include "BaseObjectGroup.h"
class IOSObjectGroup : public BaseObjectGroup {
public:
IOSObjectGroup(object_group_type _gt=UNKNOWN) : BaseObjectGroup(_gt) { }
virtual ~IOSObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(IOSObjectGroup);
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString() throw(libfwbuilder::FWException);
};
#endif

49
src/cisco_lib/ObjectGroupFactory.cpp Normal file
View File

@ -0,0 +1,49 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "ObjectGroupFactory.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "PIXObjectGroup.h"
#include "IOSObjectGroup.h"
#include <string>
using namespace libfwbuilder;
using namespace std;
BaseObjectGroup* ObjectGroupFactory::createObjectGroup(
Firewall *fw, BaseObjectGroup::object_group_type _gt)
{
string platform = fw->getStr("platform");
if (platform == "pix" || platform == "fwsm") return new PIXObjectGroup(_gt);
if (platform == "iosacl") return new IOSObjectGroup(_gt);
return NULL;
}

42
src/cisco_lib/ObjectGroupFactory.h Normal file
View File

@ -0,0 +1,42 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __OBJECT_GROUP_FACTORY_HH__
#define __OBJECT_GROUP_FACTORY_HH__
#include "BaseObjectGroup.h"
namespace libfwbuilder {
class Firewall;
};
class ObjectGroupFactory {
public:
static BaseObjectGroup *createObjectGroup(
libfwbuilder::Firewall *fw,
BaseObjectGroup::object_group_type _gt=BaseObjectGroup::UNKNOWN);
};
#endif

53
src/cisco_lib/PIXObjectGroup.cpp
View File

@ -48,31 +48,7 @@ string PIXObjectGroup::toString() throw(FWException)
if (this->size()==0) return "";
switch (this->getObjectGroupType())
{
case NETWORK:
ostr << "object-group network "
<< this->getName() << endl;
break;
case PROTO:
ostr << "object-group protocol "
<< this->getName() << endl;
break;
case ICMP_TYPE:
ostr << "object-group icmp-type "
<< this->getName() << endl;
break;
case TCP_SERVICE:
ostr << "object-group service "
<< this->getName() << " tcp" << endl;
break;
case UDP_SERVICE:
ostr << "object-group service "
<< this->getName() << " udp" << endl;
break;
default:
throw FWException("Unknown object group type");
}
ostr << getObjectGroupHeader();
for (FWObject::iterator i1=this->begin(); i1!=this->end(); ++i1)
{
@ -150,3 +126,30 @@ string PIXObjectGroup::toString() throw(FWException)
return ostr.str();
}
string PIXObjectGroup::getObjectGroupClass()
{
switch (this->getObjectGroupType())
{
case NETWORK: return "network";
case PROTO: return "protocol";
case ICMP_TYPE: return "icmp-type";
case TCP_SERVICE: return "service";
case UDP_SERVICE: return "service";
default: throw FWException("Unknown object group type");
}
}
string PIXObjectGroup::getObjectGroupHeader()
{
ostringstream ostr;
ostr << "object-group " << getObjectGroupClass() << " " << this->getName();
switch (this->getObjectGroupType())
{
case TCP_SERVICE: ostr << " tcp"; break;
case UDP_SERVICE: ostr << " udp"; break;
default: break;
}
ostr << endl;
return ostr.str();
}

4
src/cisco_lib/PIXObjectGroup.h
View File

@ -32,10 +32,12 @@
class PIXObjectGroup : public BaseObjectGroup {
public:
PIXObjectGroup(pix_group_type _gt=UNKNOWN) : BaseObjectGroup(_gt) { }
PIXObjectGroup(object_group_type _gt=UNKNOWN) : BaseObjectGroup(_gt) { }
virtual ~PIXObjectGroup() {};
DECLARE_FWOBJECT_SUBTYPE(PIXObjectGroup);
virtual std::string getObjectGroupClass();
virtual std::string getObjectGroupHeader();
virtual std::string toString() throw(libfwbuilder::FWException);
};

2
src/cisco_lib/PolicyCompiler_cisco.cpp
View File

@ -66,6 +66,8 @@ PolicyCompiler_cisco::PolicyCompiler_cisco(FWObjectDatabase *_db,
OSConfigurator *_oscnf) :
PolicyCompiler(_db, fw, ipv6_policy, _oscnf) , helper(this)
{
object_groups = new Group();
dbcopy->add( object_groups );
}
int PolicyCompiler_cisco::prolog()

63
src/cisco_lib/PolicyCompiler_cisco.h
View File

@ -33,6 +33,7 @@
#include "Helper.h"
#include "ACL.h"
#include "BaseObjectGroup.h"
namespace libfwbuilder {
class IPService;
@ -421,11 +422,69 @@ protected:
};
/**
* this processor creates PIX-specific object groups
* (PIX CLI command "object-group") for rules with
* more than one object in src or dst or srv
*/
class CreateObjectGroups : public PolicyRuleProcessor
{
std::string re_type;
std::string name_suffix;
BaseObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re);
public:
CreateObjectGroups(const std::string &name,
const std::string &_ns,
const std::string &_type) :
PolicyRuleProcessor(name) {re_type=_type; name_suffix=_ns; }
virtual bool processNext();
};
friend class PolicyCompiler_cisco::CreateObjectGroups;
class CreateObjectGroupsForSrc : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrc(const std::string &n):
CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {}
};
class CreateObjectGroupsForDst : public CreateObjectGroups
{
public:
CreateObjectGroupsForDst(const std::string &n):
CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {}
};
class CreateObjectGroupsForSrv : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrv(const std::string &n):
CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {}
};
/**
* this processor accumulates all rules fed to it by previous
* processors, then prints all object groups and feeds all
* rules to the next processor. Usually this processor is in
* chain right before PrintRules.
*
*/
class printObjectGroups : public PolicyRuleProcessor
{
public:
printObjectGroups(const std::string &n) : PolicyRuleProcessor(n) {}
virtual bool processNext();
};
friend class PolicyCompiler_cisco::printObjectGroups;
protected:
Helper helper;
std::map<std::string,ciscoACL*> acls;
Helper helper;
std::map<std::string,ciscoACL*> acls;
// storage for object groups created to be used with PIX command object-group
libfwbuilder::Group *object_groups;
virtual std::string myPlatformName();

175
src/cisco_lib/PolicyCompiler_cisco_object_groups.cpp Normal file
View File

@ -0,0 +1,175 @@
/*
Firewall Builder
Copyright (C) 2010 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "config.h"
#include "PolicyCompiler_cisco.h"
#include "ObjectGroupFactory.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include <iostream>
#include <assert.h>
#include <QString>
#include <QStringList>
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
BaseObjectGroup* PolicyCompiler_cisco::CreateObjectGroups::findObjectGroup(
RuleElement *re)
{
PolicyCompiler_cisco *cisco_comp = dynamic_cast<PolicyCompiler_cisco*>(compiler);
list<FWObject*> relement;
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = FWReference::getObject(o);
relement.push_back(obj);
}
for (FWObject::iterator i=cisco_comp->object_groups->begin();
i!=cisco_comp->object_groups->end(); ++i)
{
BaseObjectGroup *og=dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0 || (og->size()!=re->size()) ) continue;
bool match=true;
for (FWObject::iterator i1=og->begin(); i1!=og->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
if ( find(relement.begin(), relement.end(), obj)==relement.end() )
{
match=false;
break;
}
}
if (match) return og;
}
return NULL;
}
bool PolicyCompiler_cisco::CreateObjectGroups::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
PolicyCompiler_cisco *cisco_comp = dynamic_cast<PolicyCompiler_cisco*>(compiler);
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInterfaceId()));
assert(rule_iface);
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size()==1) // no need to create object-group since there is single object in the rule element
{
tmp_queue.push_back(rule);
return true;
}
BaseObjectGroup *obj_group = findObjectGroup(re);
if (obj_group==NULL)
{
//obj_group= new BaseObjectGroup();
obj_group = ObjectGroupFactory::createObjectGroup(compiler->fw);
FWObject *o = re->front();
FWObject *obj = FWReference::getObject(o);
obj_group->setObjectGroupTypeFromFWObject(obj);
QStringList gn;
if (!rule_iface->getLabel().empty())
gn.push_back(rule_iface->getLabel().c_str());
gn.push_back(rule->getUniqueId().c_str());
gn.push_back(name_suffix.c_str());
obj_group->setName(gn.join(".").toStdString());
cisco_comp->object_groups->add(obj_group);
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
obj_group->addRef( obj );
}
}
re->clearChildren(false); // do not want to destroy children objects
re->addRef(obj_group);
assert(re->size()==1);
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_cisco::printObjectGroups::processNext()
{
PolicyCompiler_cisco *cisco_comp=dynamic_cast<PolicyCompiler_cisco*>(compiler);
slurp();
if (tmp_queue.size()==0) return false;
for (FWObject::iterator i=cisco_comp->object_groups->begin();
i!=cisco_comp->object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0) continue;
cisco_comp->output << endl;
try
{
cisco_comp->output << og->toString();
} catch (FWException &ex)
{
compiler->abort(ex.toString());
}
}
return true;
}

34
src/cisco_lib/PolicyCompiler_iosacl.cpp
View File

@ -149,7 +149,7 @@ bool PolicyCompiler_iosacl::checkForDynamicInterface::processNext()
bool PolicyCompiler_iosacl::SpecialServices::processNext()
{
PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
//PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Service *s=compiler->getFirstSrv(rule);
@ -179,6 +179,10 @@ void PolicyCompiler_iosacl::compile()
if (ipv6) banner += ", IPv6";
info(banner);
string version = fw->getStr("version");
bool supports_object_groups = XMLTools::version_compare(version, "12.4")>=0 &&
fw->getOptionsObject()->getBool("iosacl_use_object_groups");
try
{
string vers = fw->getStr("version");
@ -280,7 +284,9 @@ void PolicyCompiler_iosacl::compile()
add( new checkForUnnumbered("check for unnumbered interfaces"));
add( new addressRanges ("process address ranges" ) );
if ( ! supports_object_groups)
add( new addressRanges("process address ranges"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new setInterfaceAndDirectionBySrc(
@ -310,23 +316,29 @@ void PolicyCompiler_iosacl::compile()
add( new removeRedundantAddressesFromDst(
"remove redundant addresses from Dst") );
add( new ConvertToAtomic ("convert to atomic rules" ) );
add( new simplePrintProgress());
add( new createNewCompilerPass ("Creating ACLs ..."));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
// add( new ClearACLs("Clear ACLs"));
if (supports_object_groups)
{
add( new CreateObjectGroupsForSrc("create object groups for Src"));
add( new CreateObjectGroupsForDst("create object groups for Dst"));
add( new CreateObjectGroupsForSrv("create object groups for Srv"));
} else
{
add( new ConvertToAtomic ("convert to atomic rules" ) );
}
add( new simplePrintProgress());
add( new createNewCompilerPass("Creating object groups and ACLs"));
add( new printClearCommands("clear commands for object-groups and ACLs"));
add( new printObjectGroups("generate code for object groups"));
// This processor prints each ACL separately in one block.
// It adds comments inside to denote original rules.
//
add( new PrintCompleteACLs("Print ACLs"));
// add( new PrintRule("generate code for ACLs"));
add( new simplePrintProgress());
runRuleProcessors();

14
src/cisco_lib/PolicyCompiler_iosacl.h
View File

@ -177,6 +177,13 @@ namespace fwcompiler {
};
friend class PolicyCompiler_iosacl::ClearACLs;
/**
* printClearCommands prints "clear" commands for object-groups
* and ACLs
*/
DECLARE_POLICY_RULE_PROCESSOR(printClearCommands);
friend class PolicyCompiler_iosacl::printClearCommands;
/**
* this processor prints single policy rule, assuming all
* groups have been expanded, so source, destination and
@ -243,11 +250,8 @@ namespace fwcompiler {
friend class PolicyCompiler_iosacl::PrintCompleteACLs;;
bool resetinbound;
bool fragguard;
// storage for object groups created to be used with IOSACL command object-group
libfwbuilder::Group *object_groups;
bool resetinbound;
bool fragguard;
protected:

164
src/cisco_lib/PolicyCompiler_iosacl_writers.cpp
View File

@ -24,6 +24,7 @@
*/
#include "PolicyCompiler_iosacl.h"
#include "IOSObjectGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressRange.h"
@ -46,13 +47,6 @@
#include "fwbuilder/XMLTools.h"
#include <iostream>
#if __GNUC__ > 3 || \
(__GNUC__ == 3 && (__GNUC_MINOR__ > 2 || (__GNUC_MINOR__ == 2 ) ) ) || \
_MSC_VER
# include <streambuf>
#else
# include <streambuf.h>
#endif
#include <iomanip>
#include <fstream>
#include <sstream>
@ -117,6 +111,54 @@ bool PolicyCompiler_iosacl::ClearACLs::processNext()
return true;
}
bool PolicyCompiler_iosacl::printClearCommands::processNext()
{
PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
string vers = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (iosacl_comp->ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/" + xml_element);
assert( !clearACLCmd.empty());
slurp();
if (tmp_queue.size()==0) return false;
if (!compiler->inSingleRuleCompileMode())
{
// No need to output "clear" commands in single rule compile mode
if ( compiler->fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
compiler->fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=iosacl_comp->acls.begin();
i!=iosacl_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLCmd << " " << acl->workName() << endl;
}
compiler->output << endl;
for (FWObject::iterator i=iosacl_comp->object_groups->begin();
i!=iosacl_comp->object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
assert(og!=NULL);
compiler->output << "no " << og->getObjectGroupHeader();
}
}
}
compiler->output << endl;
return true;
}
void PolicyCompiler_iosacl::PrintCompleteACLs::printRulesForACL::operator()(
Rule* rule)
{
@ -139,33 +181,10 @@ void PolicyCompiler_iosacl::PrintCompleteACLs::printRulesForACL::operator()(
bool PolicyCompiler_iosacl::PrintCompleteACLs::processNext()
{
PolicyCompiler_iosacl *iosacl_comp=dynamic_cast<PolicyCompiler_iosacl*>(compiler);
string vers = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
string xml_element = "clear_ip_acl";
if (iosacl_comp->ipv6) xml_element = "clear_ipv6_acl";
string clearACLCmd = Resources::platform_res[platform]->getResourceStr(
string("/FWBuilderResources/Target/options/")+
"version_"+vers+"/iosacl_commands/" + xml_element);
assert( !clearACLCmd.empty());
slurp();
if (tmp_queue.size()==0) return false;
if ( compiler->fw->getOptionsObject()->getBool("iosacl_acl_basic") ||
compiler->fw->getOptionsObject()->getBool("iosacl_acl_substitution"))
{
for (map<string,ciscoACL*>::iterator i=iosacl_comp->acls.begin();
i!=iosacl_comp->acls.end(); ++i)
{
ciscoACL *acl=(*i).second;
compiler->output << clearACLCmd << " " << acl->workName() << endl;
}
compiler->output << endl;
}
string addr_family_prefix = "ip";
if (iosacl_comp->ipv6) addr_family_prefix = "ipv6";
@ -194,8 +213,7 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
PolicyCompiler_iosacl *iosacl_comp =
dynamic_cast<PolicyCompiler_iosacl*>(compiler);
//FWOptions *ruleopt =rule->getOptionsObject();
bool write_comments =
compiler->fw->getOptionsObject()->getBool("iosacl_include_comments");
//bool write_comments = compiler->fw->getOptionsObject()->getBool("iosacl_include_comments");
ostringstream ruleout;
ostringstream aclstr;
@ -218,9 +236,9 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
assert(dst->size()==1);
assert(srv->size()==1);
FWObject *srcobj=src->front();
FWObject *dstobj=dst->front();
FWObject *srvobj=srv->front();
FWObject *srcobj = src->front();
FWObject *dstobj = dst->front();
FWObject *srvobj = srv->front();
assert(srcobj);
assert(dstobj);
@ -254,17 +272,79 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
aclstr << _printAction(rule);
aclstr << _printProtocol(Service::cast(srvobj));
aclstr << _printAddr( compiler->getFirstSrc(rule) );
aclstr << _printSrcService( compiler->getFirstSrv(rule) );
aclstr << _printAddr( compiler->getFirstDst(rule) );
aclstr << _printDstService( compiler->getFirstSrv(rule) );
IOSObjectGroup *pgsrc = IOSObjectGroup::cast(srcobj);
IOSObjectGroup *pgdst = IOSObjectGroup::cast(dstobj);
IOSObjectGroup *pgsrv = IOSObjectGroup::cast(srvobj);
/*
* Possible configurations:
*
* permit object-group service_group object-group src_grp object-group dst_grp
* permit object-group service_group SRC_SPEC DST_SPEC
* permit <proto> SRC_SPEC <src_ports> DST_SPEC <dst_ports>
*
* Where SRC_SPEC and DST_SPEC are
* obejct-group network_group
* or traidtional <address> <wildcard_bits>
*
*/
if ( pgsrv!=NULL && pgsrv->isServiceGroup())
{
aclstr << "object-group " << pgsrv->getName();
aclstr << " ";
if ( pgsrc!=NULL && pgsrc->isObjectGroup())
{
aclstr << "object-group " << pgsrc->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstSrc(rule) );
}
if ( pgdst!=NULL && pgdst->isObjectGroup())
{
aclstr << "object-group " << pgdst->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstDst(rule) );
}
} else
{
// Service is not object group
aclstr << _printProtocol(Service::cast(srvobj));
aclstr << " ";
if ( pgsrc!=NULL && pgsrc->isObjectGroup())
{
aclstr << "object-group " << pgsrc->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstSrc(rule) );
}
aclstr << _printSrcService( compiler->getFirstSrv(rule) );
if ( pgdst!=NULL && pgdst->isObjectGroup())
{
aclstr << "object-group " << pgdst->getName();
aclstr << " ";
} else
{
aclstr << _printAddr( compiler->getFirstDst(rule) );
}
aclstr << _printDstService( compiler->getFirstSrv(rule) );
}
aclstr << _printLog( rule );
// "fragments" should be the last option in the access-list command
aclstr << _printIPServiceOptions(rule);
// aclstr << endl;
if (compiler->fw->getOptionsObject()->getBool("iosacl_use_acl_remarks"))
{
ruleout << acl->addRemark(rule->getLabel(), rule->getComment());

97
src/cisco_lib/PolicyCompiler_pix.cpp
View File

@ -90,9 +90,6 @@ int PolicyCompiler_pix::prolog()
if (platform!="pix" && platform!="fwsm")
abort("Unsupported platform " + platform );
object_groups=new Group();
dbcopy->add( object_groups );
if (!inSingleRuleCompileMode())
{
output << "!################" << endl;
@ -579,96 +576,6 @@ bool PolicyCompiler_pix::AvoidObjectGroup::processNext()
return true;
}
PIXObjectGroup* PolicyCompiler_pix::CreateObjectGroups::findObjectGroup(RuleElement *re)
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
list<FWObject*> relement;
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = FWReference::getObject(o);
relement.push_back(obj);
}
for (FWObject::iterator i=pix_comp->object_groups->begin();
i!=pix_comp->object_groups->end(); ++i)
{
PIXObjectGroup *og=dynamic_cast<PIXObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0 || (og->size()!=re->size()) ) continue;
bool match=true;
for (FWObject::iterator i1=og->begin(); i1!=og->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
if ( find(relement.begin(), relement.end(), obj)==relement.end() )
{
match=false;
break;
}
}
if (match) return og;
}
return NULL;
}
bool PolicyCompiler_pix::CreateObjectGroups::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
assert(rule_iface);
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size()==1) // no need to create object-group since there is single object in the rule element
{
tmp_queue.push_back(rule);
return true;
}
PIXObjectGroup *obj_group = findObjectGroup(re);
if (obj_group==NULL)
{
obj_group= new PIXObjectGroup();
FWObject *o = re->front();
FWObject *obj = FWReference::getObject(o);
if (Address::cast(obj)!=NULL) obj_group->setObjectGroupType(NETWORK);
if (IPService::cast(obj)!=NULL) obj_group->setObjectGroupType(PROTO);
if (ICMPService::cast(obj)!=NULL) obj_group->setObjectGroupType(ICMP_TYPE);
if (TCPService::cast(obj)!=NULL) obj_group->setObjectGroupType(TCP_SERVICE);
if (UDPService::cast(obj)!=NULL) obj_group->setObjectGroupType(UDP_SERVICE);
obj_group->setName(
rule_iface->getLabel()+"."+rule->getUniqueId()+"."+name_suffix);
pix_comp->object_groups->add(obj_group);
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
obj_group->addRef( obj );
}
}
re->clearChildren(false); // do not want to destroy children objects
re->addRef(obj_group);
assert(re->size()==1);
tmp_queue.push_back(rule);
return true;
}
void PolicyCompiler_pix::compile()
{
string banner = " Compiling ruleset " + getSourceRuleSet()->getName();
@ -866,8 +773,8 @@ void PolicyCompiler_pix::compile()
add( new createNewCompilerPass("Creating object groups and ACLs ..."));
add( new PrintObjectGroupsAndClearCommands(
"Clear ACLs and generate code for object groups"));
add( new printClearCommands("Clear ACLs and object groups"));
add( new printObjectGroups("generate code for object groups"));
add( new PrintRule("generate code for ACLs"));
add( new simplePrintProgress());

51
src/cisco_lib/PolicyCompiler_pix.h
View File

@ -27,7 +27,6 @@
#define __POLICYCOMPILER_PIX_HH
#include <fwbuilder/libfwbuilder-config.h>
#include "PIXObjectGroup.h"
#include "fwcompiler/PolicyCompiler.h"
#include "fwbuilder/RuleElement.h"
@ -199,47 +198,6 @@ namespace fwcompiler {
*/
DECLARE_POLICY_RULE_PROCESSOR( splitIfTelnetSSHICMPtoFw );
/**
* this processor creates PIX-specific object groups
* (PIX CLI command "object-group") for rules with
* more than one object in src or dst or srv
*/
class CreateObjectGroups : public PolicyRuleProcessor
{
std::string re_type;
std::string name_suffix;
PIXObjectGroup* findObjectGroup(libfwbuilder::RuleElement *re);
public:
CreateObjectGroups(const std::string &name,
const std::string &_ns,
const std::string &_type) :
PolicyRuleProcessor(name) {re_type=_type; name_suffix=_ns; }
virtual bool processNext();
};
friend class PolicyCompiler_pix::CreateObjectGroups;
class CreateObjectGroupsForSrc : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrc(const std::string &n):
CreateObjectGroups(n,"src",libfwbuilder::RuleElementSrc::TYPENAME) {}
};
class CreateObjectGroupsForDst : public CreateObjectGroups
{
public:
CreateObjectGroupsForDst(const std::string &n):
CreateObjectGroups(n,"dst",libfwbuilder::RuleElementDst::TYPENAME) {}
};
class CreateObjectGroupsForSrv : public CreateObjectGroups
{
public:
CreateObjectGroupsForSrv(const std::string &n):
CreateObjectGroups(n,"srv",libfwbuilder::RuleElementSrv::TYPENAME) {}
};
/**
* this processor accumulates all rules fed to it by previous
* * processors, then prints PIX commands to clear
@ -252,13 +210,13 @@ namespace fwcompiler {
* they need to be generated when all access lists have been
* created but before they are printed.
*/
class PrintObjectGroupsAndClearCommands : public PolicyRuleProcessor
class printClearCommands : public PolicyRuleProcessor
{
public:
PrintObjectGroupsAndClearCommands(const std::string &n) : PolicyRuleProcessor(n) {}
printClearCommands(const std::string &n) : PolicyRuleProcessor(n) {}
virtual bool processNext();
};
friend class PolicyCompiler_pix::PrintObjectGroupsAndClearCommands;
friend class PolicyCompiler_pix::printClearCommands;
class AvoidObjectGroup : public PolicyRuleProcessor
{
@ -307,9 +265,6 @@ namespace fwcompiler {
bool resetinbound;
bool fragguard;
// storage for object groups created to be used with PIX command object-group
libfwbuilder::Group *object_groups;
NATCompiler_pix *natcmp;
protected:

23
src/cisco_lib/PolicyCompiler_pix_writers.cpp
View File

@ -64,7 +64,7 @@ using namespace fwcompiler;
using namespace std;
bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
bool PolicyCompiler_pix::printClearCommands::processNext()
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
string vers = compiler->fw->getStr("version");
@ -115,25 +115,6 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
}
}
for (FWObject::iterator i=pix_comp->object_groups->begin();
i!=pix_comp->object_groups->end(); ++i)
{
PIXObjectGroup *og=dynamic_cast<PIXObjectGroup*>(*i);
assert(og!=NULL);
if (og->size()==0) continue;
pix_comp->output << endl;
try
{
pix_comp->output << og->toString();
} catch (FWException &ex)
{
compiler->abort(ex.toString());
}
}
return true;
}
@ -342,7 +323,7 @@ string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule)
assert(rule_iface);
if ( PIXObjectGroup::cast(srv)!=NULL &&
PIXObjectGroup::cast(srv)->getObjectGroupType()==ICMP_TYPE)
PIXObjectGroup::cast(srv)->getObjectGroupType()==BaseObjectGroup::ICMP_TYPE)
{
for (FWObject::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
{

7
src/cisco_lib/cisco_lib.pro
View File

@ -6,7 +6,8 @@ TEMPLATE = lib
#
SOURCES = PolicyCompiler_cisco.cpp \
PolicyCompiler_cisco_acls.cpp \
RoutingCompiler_cisco.cpp \
PolicyCompiler_cisco_object_groups.cpp \
RoutingCompiler_cisco.cpp \
RoutingCompiler_cisco_writers.cpp \
ACL.cpp \
Helper.cpp \
@ -25,6 +26,8 @@ SOURCES = PolicyCompiler_cisco.cpp \
OSConfigurator_pix_os_fixups.cpp \
BaseObjectGroup.cpp \
PIXObjectGroup.cpp \
IOSObjectGroup.cpp \
ObjectGroupFactory.cpp \
PolicyCompiler_pix.cpp \
PolicyCompiler_pix_writers.cpp \
PolicyCompiler_pix_v6_acls.cpp \
@ -44,6 +47,8 @@ HEADERS = ../../config.h \
OSConfigurator_pix_os.h \
BaseObjectGroup.h \
PIXObjectGroup.h \
IOSObjectGroup.h \
ObjectGroupFactory.h \
PolicyCompiler_pix.h \
RoutingCompiler_pix.h \

3
src/gui/iosaclAdvancedDialog.cpp
View File

@ -244,6 +244,9 @@ iosaclAdvancedDialog::iosaclAdvancedDialog(QWidget *parent,FWObject *o)
data.registerOption( m_dialog->iosacl_acl_basic, fwoptions,
"iosacl_acl_basic" );
data.registerOption( m_dialog->iosacl_use_object_groups, fwoptions,
"iosacl_use_object_groups" );
/*
data.registerOption( m_dialog->iosacl_acl_alwaysNew, fwoptions,
"iosacl_acl_always_new" );

877
src/gui/iosacladvanceddialog_q.ui
View File

@ -1,11 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<ui version="4.0" >
<class>iosaclAdvancedDialog_q</class>
<widget class="QDialog" name="iosaclAdvancedDialog_q">
<property name="enabled">
<widget class="QDialog" name="iosaclAdvancedDialog_q" >
<property name="enabled" >
<bool>true</bool>
</property>
<property name="geometry">
<property name="geometry" >
<rect>
<x>0</x>
<y>0</y>
@ -13,54 +12,51 @@
<height>733</height>
</rect>
</property>
<property name="windowTitle">
<property name="windowTitle" >
<string>IOS ACL Firewall Settings</string>
</property>
<property name="sizeGripEnabled">
<property name="sizeGripEnabled" >
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout_5">
<item row="0" column="0">
<widget class="QTabWidget" name="tabWidget">
<property name="currentIndex">
<layout class="QGridLayout" name="gridLayout_5" >
<item row="0" column="0" >
<widget class="QTabWidget" name="tabWidget" >
<property name="currentIndex" >
<number>0</number>
</property>
<widget class="QWidget" name="compiler_tab">
<attribute name="title">
<widget class="QWidget" name="compiler_tab" >
<attribute name="title" >
<string>Compiler Options</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_6">
<property name="verticalSpacing">
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_5">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<layout class="QGridLayout" name="gridLayout_9" >
<item row="0" column="0" >
<widget class="QLabel" name="textLabel1_5" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension &quot;.fw&quot;)</string>
<property name="text" >
<string>Output file name (if left blank, the file name is constructed of the firewall object name and extension ".fw")</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="outputFileName">
<property name="minimumSize">
<item row="0" column="1" >
<widget class="QLineEdit" name="outputFileName" >
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<property name="maximumSize" >
<size>
<width>32767</width>
<height>22</height>
@ -68,43 +64,43 @@
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QGroupBox" name="groupBox">
<property name="enabled">
<item row="1" column="0" colspan="2" >
<widget class="QGroupBox" name="groupBox" >
<property name="enabled" >
<bool>false</bool>
</property>
<property name="title">
<property name="title" >
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_4">
<property name="verticalSpacing">
<layout class="QGridLayout" name="gridLayout_4" >
<property name="verticalSpacing" >
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QRadioButton" name="separate_acls_for_interfaces">
<property name="toolTip">
<item row="0" column="0" >
<widget class="QRadioButton" name="separate_acls_for_interfaces" >
<property name="toolTip" >
<string>Compiler creates multiple access lists from the same policy,
two for each interface: one for inbound and another for
outbound. If the policy is written in a such way that no rule
can possibly be associated with an interface, this interface
gets no access list at all. Also, interfaces marked as
&quot;unprotected&quot; never get access list regardless of how the policy
"unprotected" never get access list regardless of how the policy
rules are designed.
</string>
</property>
<property name="text">
<property name="text" >
<string>Generate separate access list for each interface</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QRadioButton" name="one_acl_for_all_interfaces">
<property name="toolTip">
<item row="1" column="0" >
<widget class="QRadioButton" name="one_acl_for_all_interfaces" >
<property name="toolTip" >
<string>Compiler creates one access list and assigns it to all
interfaces.
</string>
</property>
<property name="text">
<property name="text" >
<string>Create one access list and attach it to all interfaces</string>
</property>
</widget>
@ -112,81 +108,82 @@ interfaces.
</layout>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QGroupBox" name="frame114">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<item row="2" column="0" colspan="2" >
<widget class="QGroupBox" name="frame114" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<property name="title" >
<string>Policy Compiler Options</string>
</property>
<property name="flat">
<property name="flat" >
<bool>false</bool>
</property>
<property name="checkable">
<property name="checkable" >
<bool>false</bool>
</property>
<layout class="QGridLayout">
<property name="verticalSpacing">
<number>20</number>
</property>
<property name="margin">
<number>12</number>
</property>
<item row="5" column="0">
<widget class="QCheckBox" name="iosacl_ignore_empty_groups">
<property name="toolTip">
<layout class="QGridLayout" name="gridLayout_6" >
<item row="0" column="0" >
<widget class="QCheckBox" name="iosacl_ignore_empty_groups" >
<property name="toolTip" >
<string>If the option is deactivated, compiler treats empty groups as an error and aborts processing the policy. If this option is activated, compiler removes all empty groups from all rule elements. If rule element becomes 'any' after the last empty group has been removed, the whole rule will be ignored. Use this option only if you fully understand how it works!</string>
</property>
<property name="text">
<property name="text" >
<string>Ignore empty groups in rules</string>
</property>
</widget>
</item>
<item row="6" column="0">
<widget class="QCheckBox" name="iosacl_check_shadowing">
<property name="toolTip">
<item row="1" column="0" >
<widget class="QCheckBox" name="iosacl_check_shadowing" >
<property name="toolTip" >
<string>Shadowing happens because a rule is a superset of a subsequent rule and any packets potentially matched by the subsequent rule have already been matched by the prior rule.</string>
</property>
<property name="text">
<property name="text" >
<string>Detect rule shadowing in the policy</string>
</property>
</widget>
</item>
<item row="2" column="0" >
<widget class="QCheckBox" name="iosacl_use_object_groups" >
<property name="text" >
<string>Use object-group statements (requires IOS v12.4(20)T and later)</string>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="3" column="0" colspan="2">
<widget class="QCheckBox" name="mgmt_ssh">
<property name="text">
<item row="3" column="0" colspan="2" >
<widget class="QCheckBox" name="mgmt_ssh" >
<property name="text" >
<string>Always permit ssh access from the management workstation with this address:</string>
</property>
<property name="checkable">
<property name="checkable" >
<bool>true</bool>
</property>
<property name="checked">
<property name="checked" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="4" column="0">
<widget class="QLineEdit" name="mgmt_addr">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<item row="4" column="0" >
<widget class="QLineEdit" name="mgmt_addr" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<property name="maximumSize" >
<size>
<width>32767</width>
<height>22</height>
@ -194,12 +191,12 @@ interfaces.
</property>
</widget>
</item>
<item row="4" column="1">
<spacer name="horizontalSpacer_2">
<property name="orientation">
<item row="4" column="1" >
<spacer name="horizontalSpacer_2" >
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>328</width>
<height>20</height>
@ -207,15 +204,15 @@ interfaces.
</property>
</spacer>
</item>
<item row="5" column="0">
<item row="5" column="0" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>170</height>
@ -225,61 +222,61 @@ interfaces.
</item>
</layout>
</widget>
<widget class="QWidget" name="script_options_tab">
<attribute name="title">
<widget class="QWidget" name="script_options_tab" >
<attribute name="title" >
<string>Script Options</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<layout class="QGridLayout" >
<property name="leftMargin" >
<number>20</number>
</property>
<property name="topMargin">
<property name="topMargin" >
<number>12</number>
</property>
<property name="rightMargin">
<property name="rightMargin" >
<number>20</number>
</property>
<property name="bottomMargin">
<property name="bottomMargin" >
<number>20</number>
</property>
<item row="1" column="0">
<widget class="QGroupBox" name="frame170">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Expanding">
<item row="1" column="0" >
<widget class="QGroupBox" name="frame170" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Expanding" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<property name="title" >
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_7">
<item row="0" column="0">
<widget class="QCheckBox" name="iosacl_include_comments">
<property name="toolTip">
<layout class="QGridLayout" name="gridLayout_7" >
<item row="0" column="0" >
<widget class="QCheckBox" name="iosacl_include_comments" >
<property name="toolTip" >
<string>Insert comments into generated IOSACL configuration file</string>
</property>
<property name="text">
<property name="text" >
<string>Comment the code</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="iosacl_use_acl_remarks">
<property name="toolTip">
<item row="1" column="0" >
<widget class="QCheckBox" name="iosacl_use_acl_remarks" >
<property name="toolTip" >
<string>Insert comments into generated IOSACL configuration file</string>
</property>
<property name="text">
<property name="text" >
<string>Use ACL remarks</string>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QCheckBox" name="iosacl_regroup_commands">
<property name="toolTip">
<item row="2" column="0" >
<widget class="QCheckBox" name="iosacl_regroup_commands" >
<property name="toolTip" >
<string>Group IOSACL commands in the script so that similar commands appear next to each other, just like IOSACL does it when you use 'show config'</string>
</property>
<property name="text">
<property name="text" >
<string>Group similar commands together</string>
</property>
</widget>
@ -287,68 +284,68 @@ interfaces.
</layout>
</widget>
</item>
<item row="0" column="0">
<widget class="QGroupBox" name="buttonGroup10">
<property name="sizePolicy">
<sizepolicy hsizetype="Preferred" vsizetype="Expanding">
<item row="0" column="0" >
<widget class="QGroupBox" name="buttonGroup10" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Expanding" hsizetype="Preferred" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="title">
<property name="title" >
<string/>
</property>
<layout class="QGridLayout">
<property name="margin">
<layout class="QGridLayout" >
<property name="margin" >
<number>12</number>
</property>
<property name="spacing">
<property name="spacing" >
<number>-1</number>
</property>
<item row="0" column="1">
<widget class="QLabel" name="textLabel2_3">
<property name="text">
<item row="0" column="1" >
<widget class="QLabel" name="textLabel2_3" >
<property name="text" >
<string>Clear all access lists then install new ones. This method may interrupt access to the firewall if you manage it remotely via IPSEC tunnel. This is the way access lists were generated in older versions of Firewall Builder for IOSACL.</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
<property name="buddy">
<property name="buddy" >
<cstring>iosacl_acl_basic</cstring>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLabel" name="textLabel3">
<property name="focusPolicy">
<item row="1" column="1" >
<widget class="QLabel" name="textLabel3" >
<property name="focusPolicy" >
<enum>Qt::ClickFocus</enum>
</property>
<property name="text">
<property name="text" >
<string>Do not clear access lists and object group, just generate IOSACL commands for the new ones. Use this option if you have your own policy installation scripts.</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
<property name="buddy">
<property name="buddy" >
<cstring>iosacl_acl_no_clear</cstring>
</property>
</widget>
</item>
<item row="3" column="1">
<item row="3" column="1" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
@ -356,58 +353,58 @@ interfaces.
</property>
</spacer>
</item>
<item row="2" column="1">
<widget class="QLabel" name="textLabel4">
<property name="text">
<string>&quot;Safety net&quot; method:
<item row="2" column="1" >
<widget class="QLabel" name="textLabel4" >
<property name="text" >
<string>"Safety net" method:
First, create temporary access list to permit connections from the management subnet specified below to the firewall and assign it to outside interface. This temporary ACL helps maintain session between management station and the firewall while access lists are reloaded in case connection comes over IPSEC tunnel. Then clear permanent lists, recreate them and assign to interfaces. This method ensures that remote access to the firewall is maintained without interruption at a cost of slightly larger configuration.</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
<property name="buddy">
<property name="buddy" >
<cstring>iosacl_acl_substitution</cstring>
</property>
</widget>
</item>
<item row="4" column="0" colspan="2">
<widget class="QFrame" name="frame5">
<property name="frameShape">
<item row="4" column="0" colspan="2" >
<widget class="QFrame" name="frame5" >
<property name="frameShape" >
<enum>QFrame::StyledPanel</enum>
</property>
<property name="frameShadow">
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<layout class="QGridLayout">
<property name="margin">
<layout class="QGridLayout" >
<property name="margin" >
<number>11</number>
</property>
<item row="0" column="0" colspan="3">
<widget class="QLabel" name="iosacl_acl_temp_lbl">
<property name="text">
<item row="0" column="0" colspan="3" >
<widget class="QLabel" name="iosacl_acl_temp_lbl" >
<property name="text" >
<string>Temporary access list should permit access from this address or subnet (use prefix notation to specify subnet, e.g. 192.0.2.0/24):</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="2">
<item row="1" column="2" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>120</width>
<height>20</height>
@ -415,21 +412,21 @@ First, create temporary access list to permit connections from the management su
</property>
</spacer>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="iosacl_acl_temp_addr">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<item row="1" column="1" >
<widget class="QLineEdit" name="iosacl_acl_temp_addr" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<property name="minimumSize" >
<size>
<width>200</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<property name="maximumSize" >
<size>
<width>120</width>
<height>32767</height>
@ -437,15 +434,15 @@ First, create temporary access list to permit connections from the management su
</property>
</widget>
</item>
<item row="1" column="0">
<item row="1" column="0" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>110</width>
<height>20</height>
@ -456,41 +453,41 @@ First, create temporary access list to permit connections from the management su
</layout>
</widget>
</item>
<item row="0" column="0">
<widget class="QRadioButton" name="iosacl_acl_basic">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<item row="0" column="0" >
<widget class="QRadioButton" name="iosacl_acl_basic" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<property name="text" >
<string/>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QRadioButton" name="iosacl_acl_no_clear">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<item row="1" column="0" >
<widget class="QRadioButton" name="iosacl_acl_no_clear" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<property name="text" >
<string/>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QRadioButton" name="iosacl_acl_substitution">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<item row="2" column="0" >
<widget class="QRadioButton" name="iosacl_acl_substitution" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<property name="text" >
<string/>
</property>
</widget>
@ -500,84 +497,84 @@ First, create temporary access list to permit connections from the management su
</item>
</layout>
</widget>
<widget class="QWidget" name="installer_tab">
<attribute name="title">
<widget class="QWidget" name="installer_tab" >
<attribute name="title" >
<string>Installer</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_8">
<item row="0" column="0">
<widget class="QGroupBox" name="groupBox2">
<property name="title">
<layout class="QGridLayout" name="gridLayout_8" >
<item row="0" column="0" >
<widget class="QGroupBox" name="groupBox2" >
<property name="title" >
<string>Built-in installer</string>
</property>
<layout class="QGridLayout" name="gridLayout">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1_2">
<property name="text">
<layout class="QGridLayout" name="gridLayout" >
<item row="0" column="0" >
<widget class="QLabel" name="textLabel1_2" >
<property name="text" >
<string>User name used to authenticate to the firewall (leave this empty if you use putty session):</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="user">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<item row="0" column="1" >
<widget class="QLineEdit" name="user" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel1_3">
<property name="text">
<item row="1" column="0" >
<widget class="QLabel" name="textLabel1_3" >
<property name="text" >
<string>Alternative name or address used to communicate with the firewall (also putty session name on Windows)</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignTop</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QLineEdit" name="altAddress">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<item row="1" column="1" >
<widget class="QLineEdit" name="altAddress" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<layout class="QHBoxLayout">
<item row="2" column="0" colspan="2" >
<layout class="QHBoxLayout" >
<item>
<widget class="QLabel" name="textLabel1_7">
<property name="text">
<widget class="QLabel" name="textLabel1_7" >
<property name="text" >
<string>Additional command line parameters for ssh</string>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="sshArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<widget class="QLineEdit" name="sshArgs" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
@ -587,27 +584,27 @@ First, create temporary access list to permit connections from the management su
</item>
</layout>
</item>
<item row="3" column="0" colspan="2">
<layout class="QHBoxLayout" name="_2">
<item row="3" column="0" colspan="2" >
<layout class="QHBoxLayout" name="_2" >
<item>
<widget class="QLabel" name="textLabel1_8">
<property name="text">
<widget class="QLabel" name="textLabel1_8" >
<property name="text" >
<string>Additional command line parameters for scp</string>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="scpArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
<widget class="QLineEdit" name="scpArgs" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
@ -620,48 +617,48 @@ First, create temporary access list to permit connections from the management su
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="SCPgroupBox">
<property name="title">
<item row="1" column="0" >
<widget class="QGroupBox" name="SCPgroupBox" >
<property name="title" >
<string/>
</property>
<layout class="QGridLayout" name="gridLayout_3">
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="label">
<property name="text">
<string>Instead of running generated configuration on the router line by line, installer can use scp to copy the file and then &quot;copy file running-config&quot; command to activate it. Ssh v2 and scp servers should be configured on the router for this to work. This method works for IOS v12.4 or later and is much faster than running configuration line by line.</string>
<layout class="QGridLayout" name="gridLayout_3" >
<item row="0" column="0" colspan="2" >
<widget class="QLabel" name="label" >
<property name="text" >
<string>Instead of running generated configuration on the router line by line, installer can use scp to copy the file and then "copy file running-config" command to activate it. Ssh v2 and scp servers should be configured on the router for this to work. This method works for IOS v12.4 or later and is much faster than running configuration line by line.</string>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QCheckBox" name="use_scp">
<property name="text">
<item row="1" column="0" colspan="2" >
<widget class="QCheckBox" name="use_scp" >
<property name="text" >
<string>Copy generated configuration file to the router using scp</string>
</property>
</widget>
</item>
<item row="2" column="0" colspan="2">
<widget class="QLabel" name="label_3">
<property name="text">
<string>File system on the router where configuration file should be saved if it is copied with scp. Examples: &quot;flash:&quot;, &quot;disk0:&quot;. Should end with a colon &quot;:&quot;. If this input field is left blank, installer uses &quot;nvram:&quot;:</string>
<item row="2" column="0" colspan="2" >
<widget class="QLabel" name="label_3" >
<property name="text" >
<string>File system on the router where configuration file should be saved if it is copied with scp. Examples: "flash:", "disk0:". Should end with a colon ":". If this input field is left blank, installer uses "nvram:":</string>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLineEdit" name="filesystem"/>
<item row="3" column="0" >
<widget class="QLineEdit" name="filesystem" />
</item>
<item row="3" column="1">
<spacer name="horizontalSpacer">
<property name="orientation">
<item row="3" column="1" >
<spacer name="horizontalSpacer" >
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>398</width>
<height>20</height>
@ -672,45 +669,45 @@ First, create temporary access list to permit connections from the management su
</layout>
</widget>
</item>
<item row="2" column="0">
<widget class="QGroupBox" name="groupBox1">
<property name="title">
<item row="2" column="0" >
<widget class="QGroupBox" name="groupBox1" >
<property name="title" >
<string>External install script</string>
</property>
<layout class="QGridLayout" name="gridLayout_2">
<property name="verticalSpacing">
<layout class="QGridLayout" name="gridLayout_2" >
<property name="verticalSpacing" >
<number>-1</number>
</property>
<item row="0" column="0">
<layout class="QHBoxLayout" name="horizontalLayout">
<item row="0" column="0" >
<layout class="QHBoxLayout" name="horizontalLayout" >
<item>
<widget class="QLabel" name="textLabel5_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<widget class="QLabel" name="textLabel5_2" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<property name="text" >
<string>Policy install script (using built-in installer if this field is blank):</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScript">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<widget class="QLineEdit" name="installScript" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
@ -720,36 +717,36 @@ First, create temporary access list to permit connections from the management su
</item>
</layout>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout" name="horizontalLayout_2">
<item row="1" column="0" >
<layout class="QHBoxLayout" name="horizontalLayout_2" >
<item>
<widget class="QLabel" name="textLabel6_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Preferred">
<widget class="QLabel" name="textLabel6_2" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Preferred" hsizetype="Expanding" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="text">
<property name="text" >
<string>Command line options for the script:</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QLineEdit" name="installScriptArgs">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Fixed">
<widget class="QLineEdit" name="installScriptArgs" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Fixed" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<property name="minimumSize" >
<size>
<width>300</width>
<height>0</height>
@ -762,15 +759,15 @@ First, create temporary access list to permit connections from the management su
</layout>
</widget>
</item>
<item row="3" column="0">
<item row="3" column="0" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
@ -780,41 +777,41 @@ First, create temporary access list to permit connections from the management su
</item>
</layout>
</widget>
<widget class="QWidget" name="prolog_epilog_tab">
<attribute name="title">
<widget class="QWidget" name="prolog_epilog_tab" >
<attribute name="title" >
<string>Prolog/Epilog</string>
</attribute>
<layout class="QGridLayout">
<property name="leftMargin">
<layout class="QGridLayout" >
<property name="leftMargin" >
<number>20</number>
</property>
<property name="topMargin">
<property name="topMargin" >
<number>12</number>
</property>
<property name="rightMargin">
<property name="rightMargin" >
<number>20</number>
</property>
<property name="bottomMargin">
<property name="bottomMargin" >
<number>20</number>
</property>
<item row="0" column="0">
<widget class="QGroupBox" name="frame146">
<property name="title">
<item row="0" column="0" >
<widget class="QGroupBox" name="frame146" >
<property name="title" >
<string/>
</property>
<layout class="QGridLayout">
<property name="margin">
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="2" column="0">
<item row="2" column="0" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>20</height>
@ -822,57 +819,57 @@ First, create temporary access list to permit connections from the management su
</property>
</spacer>
</item>
<item row="2" column="1">
<widget class="QPushButton" name="edit_prolog_button">
<property name="text">
<item row="2" column="1" >
<widget class="QPushButton" name="edit_prolog_button" >
<property name="text" >
<string>Edit</string>
</property>
</widget>
</item>
<item row="0" column="0">
<widget class="QLabel" name="textLabel2">
<property name="text">
<item row="0" column="0" >
<widget class="QLabel" name="textLabel2" >
<property name="text" >
<string>The following commands will be added verbatim on top of generated configuration</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="iosacl_prolog_script"/>
<item row="1" column="0" colspan="2" >
<widget class="QTextEdit" name="iosacl_prolog_script" />
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="frame147">
<property name="title">
<item row="1" column="0" >
<widget class="QGroupBox" name="frame147" >
<property name="title" >
<string/>
</property>
<layout class="QGridLayout">
<property name="margin">
<layout class="QGridLayout" >
<property name="margin" >
<number>6</number>
</property>
<item row="2" column="1">
<widget class="QPushButton" name="edit_epilog_button">
<property name="text">
<item row="2" column="1" >
<widget class="QPushButton" name="edit_epilog_button" >
<property name="text" >
<string>Edit</string>
</property>
</widget>
</item>
<item row="2" column="0">
<item row="2" column="0" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>20</height>
@ -880,24 +877,24 @@ First, create temporary access list to permit connections from the management su
</property>
</spacer>
</item>
<item row="1" column="0" colspan="2">
<widget class="QTextEdit" name="iosacl_epilog_script"/>
<item row="1" column="0" colspan="2" >
<widget class="QTextEdit" name="iosacl_epilog_script" />
</item>
<item row="0" column="0" colspan="2">
<widget class="QLabel" name="textLabel2_2">
<property name="text">
<item row="0" column="0" colspan="2" >
<widget class="QLabel" name="textLabel2_2" >
<property name="text" >
<string>The following commands will be added verbatim after generated configuration</string>
</property>
<property name="textFormat">
<property name="textFormat" >
<enum>Qt::RichText</enum>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
<property name="margin">
<property name="margin" >
<number>0</number>
</property>
</widget>
@ -907,117 +904,117 @@ First, create temporary access list to permit connections from the management su
</item>
</layout>
</widget>
<widget class="QWidget" name="logging_tab">
<attribute name="title">
<widget class="QWidget" name="logging_tab" >
<attribute name="title" >
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<item row="0" column="0">
<widget class="QCheckBox" name="generate_logging_commands">
<property name="text">
<layout class="QGridLayout" >
<item row="0" column="0" >
<widget class="QCheckBox" name="generate_logging_commands" >
<property name="text" >
<string>Generate logging commands</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QGroupBox" name="syslog_controls">
<property name="title">
<item row="1" column="0" >
<widget class="QGroupBox" name="syslog_controls" >
<property name="title" >
<string>Syslog</string>
</property>
<layout class="QGridLayout">
<property name="margin">
<layout class="QGridLayout" >
<property name="margin" >
<number>12</number>
</property>
<item row="0" column="1" colspan="2">
<widget class="QLineEdit" name="syslog_host"/>
<item row="0" column="1" colspan="2" >
<widget class="QLineEdit" name="syslog_host" />
</item>
<item row="0" column="0">
<widget class="QLabel" name="label599">
<property name="text">
<item row="0" column="0" >
<widget class="QLabel" name="label599" >
<property name="text" >
<string>Syslog host (name or IP address):</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="0">
<widget class="QLabel" name="label598">
<property name="text">
<item row="2" column="0" >
<widget class="QLabel" name="label598" >
<property name="text" >
<string>syslog facility:</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="3" column="0">
<widget class="QLabel" name="label640">
<property name="text">
<item row="3" column="0" >
<widget class="QLabel" name="label640" >
<property name="text" >
<string>syslog level ('logging trap'):</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1" colspan="2">
<widget class="QComboBox" name="syslog_facility"/>
<item row="2" column="1" colspan="2" >
<widget class="QComboBox" name="syslog_facility" />
</item>
<item row="3" column="1" colspan="2">
<widget class="QComboBox" name="logging_trap_level"/>
<item row="3" column="1" colspan="2" >
<widget class="QComboBox" name="logging_trap_level" />
</item>
<item row="5" column="0" colspan="3">
<widget class="Line" name="hseparator39">
<property name="frameShape">
<item row="5" column="0" colspan="3" >
<widget class="Line" name="hseparator39" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="7" column="0" colspan="3">
<widget class="Line" name="hseparator40">
<property name="frameShape">
<item row="7" column="0" colspan="3" >
<widget class="Line" name="hseparator40" >
<property name="frameShape" >
<enum>QFrame::HLine</enum>
</property>
<property name="frameShadow">
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
</widget>
</item>
<item row="8" column="0" colspan="3">
<widget class="QLabel" name="label641">
<property name="text">
<item row="8" column="0" colspan="3" >
<widget class="QLabel" name="label641" >
<property name="text" >
<string>The logging timestamp command requires that the clock command be set.</string>
</property>
<property name="alignment">
<property name="alignment" >
<set>Qt::AlignVCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="9" column="0" colspan="3">
<widget class="QCheckBox" name="logging_timestamp">
<property name="text">
<item row="9" column="0" colspan="3" >
<widget class="QCheckBox" name="logging_timestamp" >
<property name="text" >
<string>Enable logging timestamps on syslog file</string>
</property>
</widget>
@ -1025,47 +1022,47 @@ First, create temporary access list to permit connections from the management su
</layout>
</widget>
</item>
<item row="2" column="0">
<widget class="QGroupBox" name="other_logging_controls">
<property name="title">
<item row="2" column="0" >
<widget class="QGroupBox" name="other_logging_controls" >
<property name="title" >
<string>Other logging destinations and levels:</string>
</property>
<layout class="QGridLayout">
<property name="margin">
<layout class="QGridLayout" >
<property name="margin" >
<number>12</number>
</property>
<item row="0" column="0">
<widget class="QCheckBox" name="logging_buffered">
<property name="text">
<item row="0" column="0" >
<widget class="QCheckBox" name="logging_buffered" >
<property name="text" >
<string>Internal buffer</string>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QCheckBox" name="logging_console">
<property name="text">
<item row="1" column="0" >
<widget class="QCheckBox" name="logging_console" >
<property name="text" >
<string>Console</string>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QComboBox" name="logging_buffered_level"/>
<item row="0" column="1" >
<widget class="QComboBox" name="logging_buffered_level" />
</item>
<item row="1" column="1">
<widget class="QComboBox" name="logging_console_level"/>
<item row="1" column="1" >
<widget class="QComboBox" name="logging_console_level" />
</item>
</layout>
</widget>
</item>
<item row="3" column="0">
<item row="3" column="0" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>675</width>
<height>121</height>
@ -1075,24 +1072,24 @@ First, create temporary access list to permit connections from the management su
</item>
</layout>
</widget>
<widget class="QWidget" name="ipv6_tab">
<attribute name="title">
<widget class="QWidget" name="ipv6_tab" >
<attribute name="title" >
<string>IPv6</string>
</attribute>
<layout class="QGridLayout">
<item row="1" column="0">
<widget class="QLabel" name="label_2">
<property name="text">
<layout class="QGridLayout" >
<item row="1" column="0" >
<widget class="QLabel" name="label_2" >
<property name="text" >
<string>The order in which ipv4 and ipv6 rules should be generated:</string>
</property>
</widget>
</item>
<item row="1" column="1">
<item row="1" column="1" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>40</width>
<height>20</height>
@ -1100,26 +1097,26 @@ First, create temporary access list to permit connections from the management su
</property>
</spacer>
</item>
<item row="2" column="0">
<widget class="QComboBox" name="ipv4before_2">
<item row="2" column="0" >
<widget class="QComboBox" name="ipv4before_2" >
<item>
<property name="text">
<property name="text" >
<string>IPv4 before IPv6</string>
</property>
</item>
<item>
<property name="text">
<property name="text" >
<string>IPv6 before IPv4</string>
</property>
</item>
</widget>
</item>
<item row="3" column="0">
<item row="3" column="0" >
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>40</height>
@ -1131,17 +1128,17 @@ First, create temporary access list to permit connections from the management su
</widget>
</widget>
</item>
<item row="1" column="0">
<layout class="QHBoxLayout">
<item row="1" column="0" >
<layout class="QHBoxLayout" >
<item>
<spacer>
<property name="orientation">
<property name="orientation" >
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<property name="sizeType" >
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>20</height>
@ -1150,27 +1147,27 @@ First, create temporary access list to permit connections from the management su
</spacer>
</item>
<item>
<layout class="QHBoxLayout">
<layout class="QHBoxLayout" >
<item>
<widget class="QPushButton" name="ok_button">
<property name="text">
<widget class="QPushButton" name="ok_button" >
<property name="text" >
<string>OK</string>
</property>
</widget>
</item>
<item>
<widget class="QLabel" name="label583">
<property name="alignment">
<widget class="QLabel" name="label583" >
<property name="alignment" >
<set>Qt::AlignCenter</set>
</property>
<property name="wordWrap">
<property name="wordWrap" >
<bool>false</bool>
</property>
</widget>
</item>
<item>
<widget class="QPushButton" name="cancel_button">
<property name="text">
<widget class="QPushButton" name="cancel_button" >
<property name="text" >
<string>Cancel</string>
</property>
</widget>
@ -1231,11 +1228,11 @@ First, create temporary access list to permit connections from the management su
<receiver>iosaclAdvancedDialog_q</receiver>
<slot>accept()</slot>
<hints>
<hint type="sourcelabel">
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
@ -1247,11 +1244,11 @@ First, create temporary access list to permit connections from the management su
<receiver>iosaclAdvancedDialog_q</receiver>
<slot>reject()</slot>
<hints>
<hint type="sourcelabel">
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
@ -1263,11 +1260,11 @@ First, create temporary access list to permit connections from the management su
<receiver>iosaclAdvancedDialog_q</receiver>
<slot>editProlog()</slot>
<hints>
<hint type="sourcelabel">
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
@ -1279,11 +1276,11 @@ First, create temporary access list to permit connections from the management su
<receiver>iosaclAdvancedDialog_q</receiver>
<slot>editEpilog()</slot>
<hints>
<hint type="sourcelabel">
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
@ -1295,11 +1292,11 @@ First, create temporary access list to permit connections from the management su
<receiver>iosaclAdvancedDialog_q</receiver>
<slot>scriptACLModeChanged()</slot>
<hints>
<hint type="sourcelabel">
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
@ -1311,11 +1308,11 @@ First, create temporary access list to permit connections from the management su
<receiver>iosaclAdvancedDialog_q</receiver>
<slot>scriptACLModeChanged()</slot>
<hints>
<hint type="sourcelabel">
<hint type="sourcelabel" >
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<hint type="destinationlabel" >
<x>20</x>
<y>20</y>
</hint>
@ -1327,11 +1324,11 @@ First, create temporary access list to permit connections from the management su
<receiver>iosaclAdvancedDialog_q</receiver>
<slot>toggleGenerateLogging()</slot>
<hints>
<hint type="sourcelabel">
<hint type="sourcelabel" >
<x>359</x>
<y>55</y>
</hint>
<hint type="destinationlabel">
<hint type="destinationlabel" >
<x>359</x>
<y>359</y>
</hint>

11
src/res/help/en_US/release_notes_4.0.0.html
View File

@ -918,6 +918,17 @@ rule sets of this object rather than in the actual firewalls.
does not make any changes to the router configuration.
</p>
<p>
Added support for the <b>object-group</b> statement in generated IOS
configuration. This helps reduce size of the geenrated access lists
when the router should match long lists of IP addresses or
ports. Both "network" and "service" object-groups are supported.
This feature is controlled by a checkbox in the "Advanced" settings
dialog of the firewall object; it requires IOS v12.4(20)T or later
and is off by default. Check if your version of IOS supports
"object-group" command before using!
</p>
<a name="pix"></a>
<h2>Changes in support for for Cisco ASA (PIX)</h2>

612
test/iosacl/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1263599937" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1264043748" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<Interface id="id19433X65694" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id19434X65694" name="firewall-ipv6-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
@ -140,34 +140,34 @@
<ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False">
<CustomService id="id4226X64279" name="dscp af11" comment="" ro="False" protocol="tcp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id8888X64279" name="esp dscp af12" comment="" ro="False" protocol="50" address_family="ipv4">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">dscp af12</CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id26068X65694" name="esp dscp af11 ipv6" comment="" ro="False" protocol="50" address_family="ipv6">
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="id4511637323682" name="TagServices" comment="" ro="False"/>
@ -665,10 +665,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem">/etc</Option>
@ -697,8 +697,8 @@
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script">! This is prolog</Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -713,7 +713,7 @@
<Option name="mgmt_addr">1.1.1.100</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -734,9 +734,9 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
@ -1123,10 +1123,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
@ -1139,21 +1139,21 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"/>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"/>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"/>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -1163,10 +1163,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1188,7 +1188,7 @@
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -1638,8 +1638,8 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
@ -1657,7 +1657,7 @@
<Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -1666,10 +1666,10 @@
<Option name="iosacl_logging_console_level">3</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -1684,7 +1684,7 @@
<Option name="mgmt_addr">10.10.10.0/24</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1705,9 +1705,9 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
@ -2030,8 +2030,8 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
@ -2043,10 +2043,10 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">True</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">True</Option>
@ -2055,10 +2055,10 @@
<Option name="iosacl_logging_console_level">5</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">True</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -2073,7 +2073,7 @@
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -2094,9 +2094,9 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -2453,34 +2453,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -2489,7 +2489,7 @@
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -2498,13 +2498,13 @@
<Option name="iosacl_logging_console_level">0</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">0</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2519,18 +2519,18 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2549,7 +2549,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2601,12 +2601,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -2968,34 +2968,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -3004,7 +3004,7 @@
<Option name="iosacl_acl_temp_addr">1.1.1.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -3013,13 +3013,13 @@
<Option name="iosacl_logging_console_level">2</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -3038,14 +3038,14 @@
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3064,7 +3064,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3116,12 +3116,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -3510,34 +3510,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -3546,7 +3546,7 @@
<Option name="iosacl_acl_temp_addr">10.1.1.0</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -3555,13 +3555,13 @@
<Option name="iosacl_logging_console_level">2</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -3580,14 +3580,14 @@
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3606,7 +3606,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3658,12 +3658,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -3804,34 +3804,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -3840,7 +3840,7 @@
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb/64</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -3849,13 +3849,13 @@
<Option name="iosacl_logging_console_level">1</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">1</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -3870,18 +3870,18 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -3900,7 +3900,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"/>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -3952,12 +3952,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -4284,10 +4284,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
@ -4300,21 +4300,21 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"/>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"/>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"/>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -4324,10 +4324,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -4349,7 +4349,7 @@
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -4482,8 +4482,8 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
@ -4501,7 +4501,7 @@
<Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -4510,10 +4510,10 @@
<Option name="iosacl_logging_console_level">3</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -4528,7 +4528,7 @@
<Option name="mgmt_addr">10.10.10.0/24</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -4549,9 +4549,213 @@
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"/>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id47161X84238" host_OS="ios" inactive="False" lastCompiled="1261963349" lastInstalled="0" lastModified="1264043766" platform="iosacl" version="12.4" name="testios4" comment="using object-groups&#10;" ro="False">
<NAT id="id47242X84238" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id47179X84238" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id47180X84238" disabled="False" log="True" position="0" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id6250X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47169X84238"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47192X84238" disabled="False" log="True" position="1" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id6263X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47169X84238"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47204X84238" disabled="False" log="True" position="2" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id6250X9455"/>
<ObjectRef ref="id6263X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47169X84238"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47217X84238" disabled="False" group="" log="True" position="3" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id75678X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id47169X84238"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id47229X84238" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id47244X84238" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id47169X84238" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="id47172X84238" name="testios4:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id47174X84238" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id47177X84238" name="testios4:ethernet1:ip" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="10.10.10.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem">/etc</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ios_ip_address">True</Option>
<Option name="ios_set_host_name">True</Option>
<Option name="iosacl_acl_basic">False</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">True</Option>
<Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level">4</Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level">4</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">4</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="iosacl_use_object_groups">True</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr">10.10.10.0/24</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
@ -4595,16 +4799,16 @@
<IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
</ServiceGroup>
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
</CustomService>